Posts

Egregor Ransomware

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity for Egregor Ransomware. The Egregor sample below is a library (DLL) that contains code and data that can be used by more than one program at the same time. The library is highly obfuscated and encrypted using Salsa20, ChaCha Stream Cipher and RSA encryption. This makes analysis difficult to bypass from the reverse engineering and debugging point of view.

The library contains export functions that are required to be called from other stages of the infection chain. The export function parameters usually accept the key or password to unlock, deobfuscated, and decrypt the code sections. Once the sample is done unwinding, it will release the payload hidden inside. The key and/or password is normally unique or specific to each sample. This key and/or password is always located somewhere inside the sample. It’s up to the researcher to locate the desired information inside.

The command we can use to bypass the distribution methods below for debugging:
regsrv32.exe path_to_dll DllRegisterServer param1 param2

Egregor, releases stolen data on their website egregornews to increase pressure on the victim to pay the ransom. Egregor News, is used to post the names and domains, along with data sets of Egregor victims.

Distribution Methods & Tactics:

  • Cobalt Strike
  • RDP Exploit
  • Phishing
  • CVE-2020-0688
  • CVE-2018-8174
  • CVE-2018-4878
  • CVE-2018-15982
  • QBot
  • Ursnif
  • icedID

RaaS News Website:

Stage 1, Static Information:

ChaCha / Salsa20 Initial State Information:

Stage 1: uses a implementation of ChaCha(2008)/Salsa20(2005) as the main encryption. The “nothing-up-my-sleeve number”, which is used to pinpoint ChaCha or Salsa20 is “expand 32-byte k” This is considered the algorithm constant and “nothing-up-my-sleeve number”. When you see this constant its considered a 256 bit implementation. The 32-byte constant can be seen below:

The key used for unlocking stage 1:
“Elon Musk 2024! To The Future!!!” and “SpaceX!!”
The words are filtered, parsed and rearranged for parts of the ChaCha decryption stage.

Stage 1, Dynamic Information:

Start of Encrypted Data

End of Encrypted Data

The size of the encrypted data: 0x4EAADh or 322,221d.

After Decryption:

String Artifacts:

Two of the parameters shown in this picture above are (dash dash)del and (dash dash)dubisteinmutterficker.
dubisteinmutterficker is German for “you’re a mother fucker.”
We also see references to Elon Musk and SpaceX.

2nd Stage, Commands Payload Will Accept:

Egregor’s payload can accept several command line arguments, including:

  • –fast: Is used to limit file size for encryption.
  • –full: perform encryption of the full victim system (including local and network drives).
  • –multiproc: multi-process support.
  • –nomimikatz: Mimikatz is an open source toolkit.
  • –nonet: does not encrypt network drives.
  • –path: specific folder to encrypt.
  • –target: target extension for encryption.
  • –append: file extension to append to encrypted files.
  • –norename: does not rename the files it encrypts.
  • –greetings: prepends the name to the ransom note, presumably to directly address the victim.
  • –samba: provide shared access to files, printers, and serial ports between nodes.
  • –killrdp: remote desktop protocol

The most common command that is used is (-full).

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Egregor.RSM (Trojan)

Appendix:

Sample SHA256 Hash: 38b155b6546db882189cc79bcac0b0284d3f858e0feb1e5dbc24b22f78cdfb68

Most exploited vulnerabilities in this month

SonicWall Threat Research Lab has observed the vulnerabilities that are actively being exploited from the beginning of this month. Please find below the list of vulnerabilities, vendor advisory information  and the SonicWall signatures to protect against these exploits 

CVE-2017-11882 | Microsoft Office EQNEDT32 Stack Buffer Overflow

This is a stack buffer overflow vulnerability in Microsoft Office. The vulnerability is due to incorrect handling of embedded Equation Editor OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could lead to arbitrary code execution under the context of the currently logged on user.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882

GAV: 21982  Malformed.doc.MP.10
GAV: 4094 JScript.Doc_229

CVE-2017-0147 | Microsoft Windows SMB Server SMBv1 CVE-2017-0147 Information Disclosure

This is an information disclosure vulnerability in the SMBv1 component of Microsoft Windows SMB server. The vulnerability is due to improper handling of SMBv1 requests. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted SMB messages to a target server. Successful exploitation could result in the disclosure of sensitive information from the target server

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147

GAV Cloud ID: 55251134 WannaCrypt

CVE-2010-2568 | Microsoft Windows LNK File Code Execution

This exists in Microsoft Windows that may allow execution of arbitrary code on the target machine. The vulnerability is due to a design weakness in Windows Shell which incorrectly parses shortcuts in such a way that malicious code may be executed when the crafted file is opened either manually or automatically with Windows Explorer. This can be most likely exploited through removable drives containing malicious LNK files, especially on systems that have AutoPlay enabled.

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046

IPS: 13508 LNK File HTTP Download 2

CVE-2017-8570 | Microsoft Office Remote Code Execution Vulnerability

This is a remote code execution vulnerability in Microsoft Office. The vulnerability is due to incorrect handling of embedded OLE objects in Office documents. A remote attacker could exploit this vulnerability by enticing a user to open a specially crafted file. Successful exploitation could lead to arbitrary code execution under the context of the currently logged on user. 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570

GAV: 32260 JScript.RTF_4

CVE-2013-3346 | Adobe Acrobat Reader ToolButton Use After Free

A use after free vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to an error in the handling of callback functions associated with ToolButton objects. A remote attacker can exploit this vulnerability by enticing the user to open a specially crafted file. Successful exploitation could result in arbitrary code execution in the context of the currently affected user.

http://www.adobe.com/support/security/bulletins/apsb13-15.html

IPS: 6207 HTTP Client Shellcode Exploit 42

CVE-2010-2883 | Adobe Acrobat and Reader CoolType.dll Stack Buffer Overflow

A code execution vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to a stack-based buffer overflow error within the CoolType.dll module when handling PDF files containing TTF fonts. Remote attackers could exploit this vulnerability by enticing target users to open a malicious PDF document. Successful exploitation would result in arbitrary code execution in the context of the logged on user.

http://www.adobe.com/support/security/advisories/apsa10-02.html

GAV– 43643 Malformed.pdf.MT.2

CVE-2015-1641| Microsoft Office Component CVE-2015-1641 Use After Free

This is a remote code execution vulnerability in Microsoft Office. The vulnerability is due to improper manipulation of objects in memory while parsing specially crafted Office files. A remote attacker can exploit this vulnerability by enticing a user open a maliciously crafted Office file. Successful exploitation could result in code execution in the context of the affected user.

https://technet.microsoft.com/en-us/library/security/ms15-033.aspx

GAV: 43643 Malformed.pdf.MT.2

CVE-2018-8174 | Microsoft Windows VBScript Engine CVE-2018-8174 Use After Free

A memory corruption vulnerability exists in the Microsoft Windows VBScript engine. The vulnerability is due to the way that the VBScript engine handles certain objects in memory.
A remote attacker can exploit this vulnerability by enticing a user to open a crafted web page using Internet Explorer or a crafted Microsoft Office document.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

IPS: 4604 HTTP Client Shellcode Exploit 1

CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. This affects Win32k, Windows, Windows Kernel, Windows Common Log File System Driver, DirectX Graphics Kernel & Windows Image. A local, authenticated attacker could exploit these vulnerabilities by running a maliciously crafted application on the target system. Successful exploitation allows the attacker elevate their privileges to an administrative level on the target.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120

GAV Cloud Id: 66194921 Btrojan Exploit

The risk posed by these vulnerabilities can be mitigated by upgrading to the latest non-vulnerable version

"Double Kill", CVE-2018-8174

Vulnerability Info:

A zero day exploit was discovered in the Microsoft VBScript engine around the middle of April called “Double Kill”. The (RCE) Remote Code Execution vulnerability is labeled as a (UAF) Use-After-Free memory corruption bug. Weaponizing this exploit using arbitrary code could gain the attacker the same user rights as the current user. The vulnerability was given the CVE-ID of (CVE-2018-8174).

 

Other Vulnerabilities Being Used:

CVE-2018-8174 isn’t the only Windows vulnerability being reported and used in the wild. Attackers are also exploiting Microsoft Office documents with the “OLE Autolink Object Exploit” (CVE-2017-0199, considered Stage 1) to send out requests to remote servers for new and exciting payloads aka (Stage 2 Packages). Once the victim receives (Stage 1) the initial malicious Microsoft Word document will visit a remote server to pull down another type of file (Stage 2) with either the “Content-Type” of “application/hta” or “text/scriptlet” that will use the exploit (CVE-2018-8174) to trigger the next stage of the infection chain. Lets trace through the first stage together.

 

CVE-2017-0199 Walk-through:

Following (Stage 1): b48ddad351dd16e4b24f3909c53c8901, the Microsoft Office (.rtf) document. The file leverages (CVE-2017-0199), lets dump the (Nesting Levels) with our favorite .rtf application:

From the output above we can peer inside the following objects 311, 314, 317, 320, 321 and 322. Using a few basic YARA signatures to search for ( http & RTF_Object ) strings we can check each object of interest. We see the following output:

Item 317 shows the following data:

Item 311 shows the following data:

When we peer inside one of the other items say, item 320. We will see the following (Unicode) data. Directly above this (Unicode) data at location (0x14C0) we will see what is considered to be the shellcode to execute the url in this data. However, we will not cover the shellcode at this time.

The following GET Request would look like:

We could follow this into (Stage 2) next. However, You can see from the technique we used above. Sometimes you have to fish around until you find the correct object that has the web link and shellcode. This would be an example script for (Stage 2). It normally would also have a “HTTP” header from the remote server with it:

Exploit Kits Being Used:

With the “Double Kill” exploit weaponized and the code being built into RIG EK, corporate organizations that haven’t patched (CVE-2018-8174) will be vulnerable to the attackers delivery methods. Weaponized source code has also been seen in the ThreadKit, an exploit builder that can be used to create weaponized Microsoft Office Documents. It’s accessible to cyber criminals with little technical expertise (script kiddies). The Double Kill exploit option is said to be for purchase at or around $400 dollars a download online. An exploit kit lures victims to a malicious website and infects them through the browser; this one lets attackers create weaponized Microsoft Office documents that can be distributed however the attacker wants.

 

CVE-2018-8174 Walk-through:

The code below exploits the VBScript vulnerability by using the deprecated method Class_Terminate(). The code will overload the Class_Terminate() method being destroyed. The Class_Terminate() method adds a reference, that VBScriptClass:Release() fails to check. Resulting in a (UAF) Use-After-Free vulnerability when the added reference is accessed.

Note that the Pageheap must be enabled in order to trigger the crash in a stable manner. We do this by running gflags.exe with the command ( gflags /i iexplorer.exe +ust +hpa ). Once the command is executed we can now show a proof of concept that has been tested on Windows 7 inside iexplorer.exe below:

 

Trend Graph:

The trend line below shows how this attack is being used in the wild today:

 

Updates and Micro-Patches:

The flaw exists in all versions of Windows, Microsoft has already released a patch back in May. Users are reporting Windows 7 updates are causing networking issues. The network issues may cause some users to decide not to update their computers which would leave them open to attack. On Tuesday June 12th, Microsoft will release another patch. There is a good chance that an update will be released for Windows 7 users.

 

Detection & Classification:

SonicWALL Threat Lab Research Team provides protection against this threat via the following signature:

  • IPS: 4601 HTTP Client Shellcode Exploit 1

Microsoft Security Bulletin Coverage for May 2018

Sonicwall Capture Labs Threats Research Team has analyzed and addressed Microsoft’s security advisories for the month of May 2018. A list of issues reported, along with SonicWall coverage information are as follows:

CVE-2018-0765 .NET and .NET Core Denial Of Service Vulnerability
There are no known exploits in the wild.

CVE-2018-0824 Microsoft COM for Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2018-0854 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2018-0905 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2018-0943 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-0945 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-0946 Scripting Engine Memory Corruption Vulnerability
IPS :13323 Scripting Engine Memory Corruption Vulnerability (MAY 18)

CVE-2018-0951 Scripting Engine Memory Corruption Vulnerability
IPS :13324 Scripting Engine Memory Corruption Vulnerability (MAY 18) 2

CVE-2018-0953 Scripting Engine Memory Corruption Vulnerability
IPS :13325 Scripting Engine Memory Corruption Vulnerability (MAY 18) 3

CVE-2018-0954 Scripting Engine Memory Corruption Vulnerability
IPS :13326 Scripting Engine Memory Corruption Vulnerability (MAY 18) 4

CVE-2018-0955 Scripting Engine Memory Corruption Vulnerability
IPS :13327 Scripting Engine Memory Corruption Vulnerability (MAY 18) 5

CVE-2018-0958 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2018-0959 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2018-0961 Hyper-V vSMB Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2018-1021 Microsoft Edge Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2018-1022 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-1025 Microsoft Browser Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2018-1039 .NET Framework Device Guard Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2018-8112 Microsoft Edge Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2018-8114 Scripting Engine Memory Corruption Vulnerability
IPS :13328 Scripting Engine Memory Corruption Vulnerability (MAY 18) 6

CVE-2018-8115 Windows Host Compute Service Shim Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2018-8119 Azure IoT SDK Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2018-8120 Win32k Elevation of Privilege Vulnerability
ASPY :5145 Malformed-File exe.MP.35

CVE-2018-8122 Scripting Engine Memory Corruption Vulnerability
IPS :13329 Scripting Engine Memory Corruption Vulnerability (MAY 18) 7

CVE-2018-8123 Microsoft Edge Memory Corruption Vulnerability
ASPY: 5049 Malformed-File html.MP.71

CVE-2018-8124 Win32k Elevation of Privilege Vulnerability
ASPY: 5145 Malformed-File exe.MP.35

CVE-2018-8126 Internet Explorer Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2018-8127 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2018-8128 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8129 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2018-8130 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8132 Windows Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2018-8133 Chakra Scripting Engine Memory Corruption Vulnerability
ASPY: 5135 Malformed-File html.MP.76

CVE-2018-8134 Windows Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8136 Windows Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2018-8137 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8139 Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8141 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2018-8145 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8147 Microsoft Excel Remote Code Execution Vulnerability
ASPY: 5137 Malformed-File xls.MP.61

CVE-2018-8148 Microsoft Excel Remote Code Execution Vulnerability
ASPY: 5138 Malformed-File xls.MP.62

CVE-2018-8149 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8150 Microsoft Outlook Security Feature Bypass Vulnerability
There are no known exploits in the wild.

CVE-2018-8151 Microsoft Exchange Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8152 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8153 Microsoft Exchange Spoofing Vulnerability
There are no known exploits in the wild.

CVE-2018-8154 Microsoft Exchange Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8155 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8156 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8157 Microsoft Office Remote Code Execution Vulnerability
ASPY: 5140 Malformed-File xls.MP.63

CVE-2018-8158 Microsoft Office Remote Code Execution Vulnerability
ASPY: 5141 Malformed-File rtf.MP.23

CVE-2018-8159 Microsoft Exchange Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8160 Microsoft Outlook Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2018-8161 Microsoft Office Remote Code Execution Vulnerability
IPS: 13331 Microsoft Office Remote Code Execution (MAY 18) 1

CVE-2018-8162 Microsoft Excel Remote Code Execution Vulnerability
ASPY: 5138 Malformed-File xls.MP.63

CVE-2018-8163 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.

CVE-2018-8164 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8165 DirectX Graphics Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8166 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8167 Windows Common Log File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8168 Microsoft SharePoint Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8170 Windows Image Elevation of Privilege Vulnerability
There are no known exploits in the wild.

CVE-2018-8173 Microsoft InfoPath Remote Code Execution Vulnerability
There are no known exploits in the wild.

CVE-2018-8174 Windows VBScript Engine Remote Code Execution Vulnerability
IPS: 13321 Windows VBScript Engine Remote Code Execution Vulnerability (MAY 18)

CVE-2018-8177 Chakra Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8178 Microsoft Browser Memory Corruption Vulnerability
There are no known exploits in the wild.

CVE-2018-8179 Microsoft Edge Memory Corruption Vulnerability
IPS: 13322 Microsoft Edge Memory Corruption Vulnerability (MAY 18)

CVE-2018-8897 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.

Adobe Flash (APSB18-16) Coverage :

CVE-2018-4944 Type Confusion Vulnerability

ASPY: 5143 Malformed-File swf.MP.588

Following is the coverage for Adobe Acrobat Reader Bulletin APSB18-16
CVE-2018-4946 Use After Free vulnerability
There are no known exploits in the wild
CVE-2018-4947 Heap Overflow vulnerability
ASPY 1648 : Malformed-File pdf.MP.305
CVE-2018-4948 Heap Overflow vulnerability
ASPY 1647 : Malformed-File emf.MP.56
CVE-2018-4949 Out-of-bounds read vulnerability
ASPY 1649 : Malformed-File emf.MP.57
CVE-2018-4950 Out-of-bounds write vulnerability
There are no known exploits in the wild
CVE-2018-4951 Out-of-bounds read vulnerability
ASPY 1654 : Malformed-File emf.MP.58
CVE-2018-4952 Use After Free vulnerability
There are no known exploits in the wild
CVE-2018-4953 Type Confusion vulnerability
There are no known exploits in the wild
CVE-2018-4954 Use After Free vulnerability
There are no known exploits in the wild
CVE-2018-4955 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4956 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4957 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4958 Use After Free vulnerability
ASPY 5131 : Malformed-File pdf.MP.307
CVE-2018-4959 Use After Free vulnerability
ASPY 5142 : Malformed-File pdf.MP.308
CVE-2018-4960 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4961 Use After Free vulnerability
ASPY 5146 : Malformed-File pdf.MP.309
CVE-2018-4962 Out-of-bounds read vulnerability
ASPY 5147 : Malformed-File pdf.MP.310
CVE-2018-4963 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4964 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4965 Buffer Errors vulnerability
There are no known exploits in the wild
CVE-2018-4966 Heap Overflow vulnerability
There are no known exploits in the wild
CVE-2018-4967 Out-of-bounds write vulnerability
There are no known exploits in the wild
CVE-2018-4968 Heap Overflow vulnerability
ASPY 5152 : Malformed-File emf.MP.62
CVE-2018-4969 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4970 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4971 Use After Free vulnerability
There are no known exploits in the wild
CVE-2018-4972 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4973 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4974 Use After Free vulnerability
ASPY 5151 : Malformed-File pdf.MP.313
CVE-2018-4975 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4976 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4977 Use After Free vulnerability
ASPY 5151 : Malformed-File pdf.MP.313
CVE-2018-4978 Heap Overflow vulnerability
ASPY 5150 : Malformed-File emf.MP.61
CVE-2018-4979 Security bypass vulnerability
There are no known exploits in the wild
CVE-2018-4980 Use After Free vulnerability
There are no known exploits in the wild
CVE-2018-4981 Out-of-bounds read vulnerability
ASPY 1649 : Malformed-File emf.MP.57
CVE-2018-4982 Heap Overflow vulnerability
ASPY 5150 : Malformed-File emf.MP.59
CVE-2018-4983 Use After Free vulnerability
ASPY 5149 : Malformed-File pdf.MP.312
CVE-2018-4984 Heap Overflow vulnerability
There are no known exploits in the wild
CVE-2018-4985 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4986 Out-of-bounds read vulnerability
There are no known exploits in the wild
CVE-2018-4987 Untrusted pointer dereference vulnerability
ASPY 5148 : Malformed-File pdf.MP.311
CVE-2018-4988 Use After Free vulnerability
There are no known exploits in the wild
CVE-2018-4989 Use After Free vulnerability
There are no known exploits in the wild
CVE-2018-4990 Double Free vulnerability
There are no known exploits in the wild
CVE-2018-4993 Data leakage (sensitive) vulnerability
ASPY 1650 : Malformed-File pdf.MP.306